Conversation
…dling (#2579)
* feat: enhance Discord invite generation with application-specific handling
  - Added applicationId and role validation in the invite generation process.
  - Updated the invite retrieval method to support application-scoped invites.
  - Enhanced middleware to pass applicationId to the request object.
  - Implemented tests for application-specific invite generation scenarios.
* feat: enhance Discord invite generation for super users and improve error logging
…2582)
* refactor: remove short-circuit middleware from Discord invite route
* refactor: remove commented short-circuit middleware for Discord invite routes
| * Short-circuit this POST method for this endpoint | ||
| * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details. | ||
| */ | ||
| router.get("/invite", authenticate, getUserDiscordInvite); |
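Review bot: with the short-circuit comment block gone, the GET `/invite` route at the end of this hunk is reached with only `authenticate` in front of it, and the CodeQL "Missing rate limiting" alert below is raised on exactly this line; the limiter should be added as part of this change rather than deferred, since the removed comment was the only trace of the earlier intent to gate these routes (the linked issue #269 should be updated either way).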
Check failure
Code scanning / CodeQL
Missing rate limiting High
Copilot Autofix
AI 1 day ago
In general, the fix is to add a rate-limiting middleware to the sensitive route(s) so that repeated requests from the same client (or IP) are capped within a time window. In Express, this is typically done using a library like express-rate-limit, configured with reasonable windowMs and max settings, and then passed as a middleware in the route definition.
For this file, the minimal, targeted change that preserves existing behavior is:
- Import `express-rate-limit` at the top of `routes/discordactions.js`.
- Define one or more limiter instances, for example `inviteLimiter`, configured specifically for the `/invite` endpoints (and optionally reuse the same limiter for both GET and POST on `/invite`).
- Apply that limiter as a middleware before `authenticate` on the `/invite` routes (line 40 and 41). This ensures requests are rate-limited even if authentication fails and keeps the rest of the pipeline unchanged.
- Leave all other routes untouched unless we want broader protection; to keep the change minimal and precisely aligned with the alert, we will limit it to the invite routes.
Concretely:
- Add a `const rateLimit = require("express-rate-limit");` near the other `require` calls.
- Add a new `const inviteLimiter = rateLimit({ ... })` after the imports, with a conservative configuration such as a few tens of requests per 15 minutes.
- Update `router.get("/invite", authenticate, getUserDiscordInvite);` to include `inviteLimiter` (e.g., `router.get("/invite", inviteLimiter, authenticate, getUserDiscordInvite);`), and similarly for the `POST /invite` route.
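The ordering the autofix recommends (limiter before `authenticate`) is easiest to see with a runnable model. This is an added example, not the project's code and not `express-rate-limit` itself: it implements a dependency-free fixed-window limiter with the same `windowMs`/limit semantics the suggested `inviteLimiter` uses, a stub `authenticate` and `getUserDiscordInvite`, and a tiny chain runner standing in for Express. The `trustProxy` option is an assumption modelled on Express's `trust proxy` behaviour: the forwarded-for header is only honoured when the app is told a trusted proxy sets it.

```javascript
// Added example: fixed-window, per-client-IP limiter with express-rate-limit-like
// semantics (windowMs, limit, 429 + Retry-After). Not the project's code.
function createRateLimiter({ windowMs, limit, trustProxy = false }) {
  const hits = new Map(); // key -> { count, resetAt }
  return function limiter(req, res, next) {
    // Key on the socket IP; use X-Forwarded-For only when a trusted proxy sets it
    // (assumption mirroring Express's `trust proxy`), otherwise the header is
    // client-controlled and would not identify the real client.
    const xff = req.headers["x-forwarded-for"];
    const key = trustProxy && xff ? xff.split(",")[0].trim() : req.ip;
    const now = Date.now();
    let entry = hits.get(key);
    if (!entry || entry.resetAt <= now) {
      entry = { count: 0, resetAt: now + windowMs }; // start a fresh window
      hits.set(key, entry);
    }
    entry.count += 1;
    res.setHeader("RateLimit-Limit", String(limit));
    res.setHeader("RateLimit-Remaining", String(Math.max(0, limit - entry.count)));
    if (entry.count > limit) {
      res.setHeader("Retry-After", String(Math.ceil((entry.resetAt - now) / 1000)));
      return res.status(429).send("Too many requests");
    }
    return next();
  };
}

// Minimal stand-ins for Express req/res and the route handlers named in the hunk.
function makeReq(ip, headers = {}, authed = false) { return { ip, headers, authed }; }
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  return res;
}
function authenticate(req, res, next) {
  return req.authed ? next() : res.status(401).send("Unauthorized");
}
function getUserDiscordInvite(req, res) { return res.status(200).send("invite"); }

// Runs a middleware chain the way Express would and returns the final response.
function handle(chain, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Same configuration as the suggested fix: 50 requests per 15 minutes, limiter first.
const inviteLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, limit: 50 });
const inviteRoute = [inviteLimiter, authenticate, getUserDiscordInvite];
```

Because the limiter runs first, unauthenticated probes against `/invite` consume the same per-IP budget as real requests, which is the property the autofix text describes.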
| @@ -31,14 +31,20 @@ | ||
| const { Services } = require("../constants/bot"); | ||
| const { verifyCronJob } = require("../middlewares/authorizeBot"); | ||
| const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService"); | ||
| const rateLimit = require("express-rate-limit"); | ||
| const router = express.Router(); | ||
|
|
||
| const inviteLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 50, // limit each IP to 50 invite requests per windowMs | ||
| }); | ||
|
|
||
| router.post("/groups", authenticate, checkIsVerifiedDiscord, validateGroupRoleBody, createGroupRole); | ||
| router.get("/groups", authenticate, checkIsVerifiedDiscord, validateLazyLoadingParams, getPaginatedAllGroupRoles); | ||
| router.delete("/groups/:groupId", authenticate, checkIsVerifiedDiscord, authorizeRoles([SUPERUSER]), deleteGroupRole); | ||
| router.post("/roles", authenticate, checkIsVerifiedDiscord, validateMemberRoleBody, addGroupRoleToMember); | ||
| router.get("/invite", authenticate, getUserDiscordInvite); | ||
| router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser); | ||
| router.get("/invite", inviteLimiter, authenticate, getUserDiscordInvite); | ||
| router.post("/invite", inviteLimiter, authenticate, checkCanGenerateDiscordLink, generateInviteForUser); | ||
|
|
||
| router.delete("/roles", authenticate, checkIsVerifiedDiscord, deleteRole); | ||
| router.get("/roles", authenticate, checkIsVerifiedDiscord, getGroupsRoleId); |
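Review bot: the limiter keys on `req.ip` by default, so if this service sits behind a load balancer or reverse proxy every request will share the proxy's address and the 50-per-15-minutes budget becomes a global cap rather than a per-client one; confirm the app sets Express's `trust proxy` appropriately (recent express-rate-limit versions warn when `X-Forwarded-For` is present but `trust proxy` is not configured). Two smaller points: the project already depends on `rate-limiter-flexible` (see the package.json hunk), so reusing it would avoid a second rate-limiting library with different semantics, and in express-rate-limit v7+ the `max` option was renamed to `limit` (`max` still works as an alias), so `limit: 50` matches the current docs.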
| @@ -42,7 +42,8 @@ | ||
| "passport-github2": "0.1.12", | ||
| "passport-google-oauth20": "^2.0.0", | ||
| "rate-limiter-flexible": "5.0.3", | ||
| "winston": "3.13.0" | ||
| "winston": "3.13.0", | ||
| "express-rate-limit": "^8.2.1" | ||
| }, | ||
| "devDependencies": { | ||
| "@types/chai": "4.3.16", |
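Review bot: the new entry uses a caret range (`"express-rate-limit": "^8.2.1"`) while every neighbouring dependency in this block is pinned to an exact version (`"rate-limiter-flexible": "5.0.3"`, `"winston": "3.13.0"`); pin it to `"8.2.1"` for consistency with the repo's lockstep policy, and place it in alphabetical order rather than after `winston`. Also note this adds a second rate-limiting library alongside `rate-limiter-flexible`; if both are intended to stay, a short comment or README note on which one guards which routes would help future maintainers.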
| Package | Version | Security advisories |
|---|---|---|
| express-rate-limit (npm) | 8.2.1 | None |
Date: 25 Feb 2026
Developer Name: @AnujChhikara
Issue Ticket Number
PRs going for sync
Description
Documentation Updated?
Under Feature Flag
Database Changes
Breaking Changes
Development Tested?
Screenshots
Screencast_from_2026-02-25_01-19-20.mp4